Even after suffering a data breach, the organization in charge of overseeing the needs of credit unions has cast off the idea of implementing a rule mandating the use of encryption for data transfers.
Despite the breach, the National Association of Federal Credit Unions, or NAFCU, is insisting that many credit unions follow best practices, and that any additional regulations would be unnecessary.
Alicia Nealon, the NAFCU’s Director of Regulatory Affairs, dismissed the idea of data encryption rule on Wednesday, contending that credit unions must already follow data security requirements and instead of imposing a law mandating information be encrypted, they should look into better ways to protect credit union members’ data.
“Rather than promulgating additional regulatory burdens on credit unions, NCUA (National Credit Union Administration) should take a look internally at what actions the agency can take to better protect the credit union data in its care,” Nealon said in a press release on Wednesday.
The statement stems from a comment Debbie Matz, the Board Chairman for the NCUA, made earlier this week when she mentioned to the Credit Union Times that the agency was considering proposing a data encryption rule following a data breach the agency dealt with at the tail end of 2014.
“We are contemplating a rule, which would require encryption…” Matz told the site’s Nicholas Ballasy earlier this week, “Short of requiring it, we’re really struggling trying to figure out how to prevent data breaches. That’s a very fundamental thing to do, to make sure that if the data is lost or stolen that members’ confidential information is protected.”
In December, the NCUA reported that in October, someone at the agency had lost a thumb drive containing personal credit union member information during a routine audit. That information contained the names, addresses, Social Security numbers and account numbers of around 1,600 members of the Palm Springs Federal Credit Union, a $13 million cooperative in Palm Springs, Calif.
“At this time we do not know if the external drive has been inadvertently destroyed or if it was acquired by an authorized person,” Debbie Pitigliano, the credit union’s Chief Executive Officer said in a letter to members (.PDF) “All we know is that it is lost.”
Matz estimated the cost of the breach would fall somewhere between $15,000 and $20,000, a figure that NCUA has agreed to cover.
NAFCU’s stance is a bit curious however. While credit unions may have a strong track record of regulatory compliance, the NAFCU’s anti-data encryption tone doesn’t quite align with a letter its president and CEO Dan Berger penned earlier this week. In the letter, which was addressed to Senate Majority Leader Mitch McConnell, Senate Minority Leader Harry Reid, House Speaker John Boehner and House Minority Leader Nancy Pelosi, Berger claims that credit unions have first hand knowledge when it comes to dealing with the aftermath of a breach but that more can be done to prevent them.
“Data breaches in both the private and public sectors have the ability to cause irreparable harm to consumers everywhere,” Berger writes, adding that “Credit unions and other financial institutions are required to meet certain criteria for safekeeping consumers’ personal information.”
Bergen later advocates for the passing of legislation that would hold entities responsible for storing consumer data.
NCUA is an independent federal agency created by Congress to regulate credit unions but NAFCU is the trade association that represents the interests of those federal credit unions before the government.
Matz and the rest of NCUA don’t have a response per se to NAFCU’s statement, but when reached Thursday, John Fairbanks, a spokesman for the agency’s Office of Public and Congressional Affairs, claims NCUA will continue to weigh the benefits of an encryption rule.
“Following the loss of an unencrypted thumb drive containing credit union members’ data, Chairman Matz is considering whether or not an encryption rule would better protect that information,” Fairbanks said, “In the meantime, the agency is reinforcing training on protecting sensitive information, reviewing our policies and procedures in this area, and moving as quickly as possible to consider and adopt additional safeguards to protect electronic data.”
It’s expected the NCUA will make further decisions regarding shoring up its security as soon as its Inspector General concludes his look at the incident.
Starting this month, NCUA Inspector General James Hagen and his office will conduct an audit into whether the agency has the adequate controls in place to protect user information, review the agency’s decision to put off announcing the breach and investigate an alleged disclosure made by two sources at the NCUA.
Calls to the NCUA’s Inspector General, which operates independent of the NCUA, were not immediately returned.